package org.glite.security.util;

import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLSocket;
import org.apache.log4j.Logger;

/* loaded from: input_file:org/glite/security/util/HostNameChecker.class */
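/**
 * Checks that the host name a client asked for is covered by the X.509 certificate the peer presented.
 *
 * <p>Matching order, as implemented in {@link #checkHostName(String, X509Certificate)}: loopback
 * names short-circuit to success, then the subjectAltName entries are consulted (dNSName for names,
 * iPAddress for IP literals), and finally the last CN of the subject DN is tried.
 *
 * <p>NOTE(review): the CN fallback runs even when the certificate carries dNSName entries, which is
 * more permissive than RFC 6125 recommends. It is kept because callers may depend on it; confirm
 * whether it can be restricted.
 */
public class HostNameChecker {
    private static final Logger LOGGER = Logger.getLogger(HostNameChecker.class);

    // Decides whether the requested host is treated as an IP literal. It only accepts digits with
    // dots or digits with colons, so an IPv6 literal containing hex letters does not match and is
    // handled as a DNS name.
    public static final Pattern ipPattern = Pattern.compile("[\\d\\.]+|[\\d\\:]+");
    public static final byte[] localhostIPv4 = IPAddressComparator.parseIP("127.0.0.1");
    public static final byte[] localhostIPv6 = IPAddressComparator.parseIP("::1");

    /**
     * Verifies the peer certificate of a connected TLS socket against the requested host name and
     * closes the socket when the check does not succeed.
     *
     * @param str the host name, IP literal or URL the caller intended to reach
     * @param sSLSocket the connected socket whose session holds the peer certificate chain
     * @throws IOException if the socket is not connected, the peer certificate is not X.509, the
     *     certificate cannot be parsed, or the host name is not covered by the certificate
     */
    public static void checkHostname(String str, SSLSocket sSLSocket) throws IOException {
        if (!sSLSocket.isConnected()) {
            throw new IOException("Socket is not open, can't check the host certificate!");
        }
        Certificate[] peerCertificates = sSLSocket.getSession().getPeerCertificates();
        if (!(peerCertificates[0] instanceof X509Certificate)) {
            sSLSocket.close();
            throw new IOException("Non X509 certificate given during SSL/TLS handshake, couldn't handle it. Class was: " + peerCertificates[0].getClass().getName());
        }
        // NOTE(review): the array cast relies on the runtime type of the array returned by the TLS
        // provider being X509Certificate[]; only element 0 is type-checked above.
        X509Certificate hostCertificate = (X509Certificate) peerCertificates[CertUtil.findClientCert((X509Certificate[]) peerCertificates)];
        try {
            if (checkHostName(str, hostCertificate)) {
                return;
            }
            sSLSocket.close();
            throw new IOException("Hostname " + str + " not allowed with certificate for DN: " + DNHandler.getSubject(hostCertificate).getRFCDN());
        } catch (CertificateParsingException e) {
            sSLSocket.close();
            // Keep the parsing failure as the cause so the stack trace is not lost.
            throw new IOException("Invalid certificate received, error was: " + e.getMessage(), e);
        } catch (RuntimeException e) {
            // Fail closed: an unverifiable connection (e.g. an illegal URL argument) must not stay
            // open, matching the mismatch and parse-error paths above.
            sSLSocket.close();
            throw e;
        }
    }

    /**
     * Tells whether the certificate is acceptable for the given host.
     *
     * <p>NOTE(review): "localhost", 127.0.0.1 and ::1 return {@code true} before the certificate is
     * inspected at all, so any certificate is accepted for loopback targets.
     *
     * @param str a host name or IP literal, or a URL (detected by the presence of '/') whose host
     *     part is used
     * @param x509Certificate the certificate to match against
     * @return {@code true} if the host is a loopback name or matches a subjectAltName entry or the
     *     last CN of the subject DN, {@code false} otherwise
     * @throws CertificateParsingException if the subjectAltName extension cannot be decoded
     * @throws IllegalArgumentException if {@code str} contains '/' but is not a valid URL
     */
    public static boolean checkHostName(String str, X509Certificate x509Certificate) throws CertificateParsingException {
        // GeneralName type tags as returned by X509Certificate.getSubjectAlternativeNames().
        final int sanDnsName = 2;
        final int sanIpAddress = 7;

        // Locale.ROOT keeps the lower-casing of ASCII host names independent of the JVM default
        // locale (the default-locale form maps 'I' differently under e.g. a Turkish locale).
        String host;
        if (str.indexOf('/') < 0) {
            host = str.trim().toLowerCase(java.util.Locale.ROOT);
        } else {
            try {
                host = new URL(str.trim()).getHost().toLowerCase(java.util.Locale.ROOT);
            } catch (MalformedURLException e) {
                throw new IllegalArgumentException("Illegal URL given for the certificate host check: " + str, e);
            }
        }

        boolean hostIsIp = ipPattern.matcher(host).matches();
        if (hostIsIp) {
            byte[] hostBytes = IPAddressComparator.parseIP(host);
            // Fewer than 6 bytes is treated as IPv4, anything longer as IPv6.
            if (hostBytes.length < 6) {
                if (IPAddressComparator.compare(hostBytes, localhostIPv4)) {
                    LOGGER.debug("Localhost IPv4 address given, bypassing hostname - certificate matching.");
                    return true;
                }
            } else if (IPAddressComparator.compare(hostBytes, localhostIPv6)) {
                LOGGER.debug("Localhost IPv6 address given, bypassing hostname - certificate matching.");
                return true;
            }
        } else if (host.equals("localhost")) {
            LOGGER.debug("Localhost address given, bypassing hostname - certificate matching.");
            return true;
        }

        Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
        if (subjectAlternativeNames != null) {
            for (List<?> entry : subjectAlternativeNames) {
                int nameType = ((Integer) entry.get(0)).intValue();
                if (nameType == sanDnsName && !hostIsIp) {
                    // dNSName entries are only compared with DNS-style hosts.
                    String dnsName = (String) entry.get(1);
                    if (checkDNS(host, dnsName)) {
                        return true;
                    }
                    LOGGER.debug("Hostname \"" + host + "\" does not match \"" + dnsName + "\".");
                } else if (nameType == sanIpAddress && hostIsIp) {
                    // iPAddress entries are only compared with IP-literal hosts.
                    String ipName = (String) entry.get(1);
                    if (checkIP(host, ipName)) {
                        return true;
                    }
                    LOGGER.debug("Hostname \"" + host + "\" does not match \"" + ipName + "\".");
                }
            }
        }

        // Fallback: compare against the last CN of the subject DN (also reached for IP literals).
        if (checkBasedOnDN(host, x509Certificate)) {
            return true;
        }
        LOGGER.debug("Hostname \"" + host + "\" does not match DN \"" + DNHandler.getSubject(x509Certificate).getRFCDN() + "\".");
        return false;
    }

    /**
     * Matches the host against the certificate subject DN; a missing or empty subject never matches.
     */
    private static boolean checkBasedOnDN(String host, X509Certificate x509Certificate) {
        javax.security.auth.x500.X500Principal subject = x509Certificate.getSubjectX500Principal();
        if (subject == null || "".equals(subject.getName())) {
            return false;
        }
        return checkDN(host, DNHandler.getDN(subject));
    }

    /**
     * Compares two textual IP addresses byte-wise; addresses of different length never match.
     */
    private static boolean checkIP(String host, String certificateIp) {
        byte[] certificateBytes = IPAddressComparator.parseIP(certificateIp);
        byte[] hostBytes = IPAddressComparator.parseIP(host);
        if (certificateBytes.length != hostBytes.length) {
            return false;
        }
        return IPAddressComparator.compare(certificateBytes, hostBytes);
    }

    /**
     * Matches a host name against a certificate name that may contain '*' wildcards.
     *
     * <p>Each '*' stands for any run of characters that contains no dot. Everything else in the
     * certificate name is matched literally: the name comes from the peer's certificate, so it must
     * not be interpreted as a regular expression (previously an unescaped '.' matched any character
     * and other metacharacters could widen the match or raise PatternSyntaxException).
     *
     * @param host the requested host name
     * @param certificateName the dNSName or CN value taken from the certificate
     * @return {@code true} if the host is covered by the certificate name
     */
    private static boolean checkDNS(String host, String certificateName) {
        if (certificateName.indexOf('*') < 0) {
            return host.trim().equalsIgnoreCase(certificateName);
        }
        // Limit -1 keeps trailing empty pieces so a name ending in '*' still gets its wildcard.
        String[] literalParts = certificateName.toLowerCase(java.util.Locale.ROOT).split("\\*", -1);
        StringBuilder regex = new StringBuilder();
        for (int i = 0; i < literalParts.length; i++) {
            if (i > 0) {
                regex.append("[^.]*");
            }
            regex.append(Pattern.quote(literalParts[i]));
        }
        return Pattern.matches(regex.toString(), host.toLowerCase(java.util.Locale.ROOT));
    }

    /**
     * Matches the host against the last CN of the DN; when the CN contains '/', only the part after
     * the first '/' is used as the name.
     */
    private static boolean checkDN(String host, DN dn) {
        String commonName = dn.getLastCNValue();
        if (commonName == null) {
            return false;
        }
        int slash = commonName.indexOf('/');
        if (slash >= 0) {
            commonName = commonName.substring(slash + 1);
        }
        return checkDNS(host, commonName);
    }
}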
